How to filter a specific time in Splunk?

sanglap · ‎07-30-2022

I want to perform a search query which can give me results with respective to a specific time.

For example i have a particular time as this: 2022-07-29 18:33:20

My query:

index="*" sourcetype="pan:threat" 10.196.246.104 url=* earliest=relative_time("2022-07-29 18:33:20","-1h") AND latest = relative_time("2022-07-29 18:33:20","+1h")
| stats values(url) as url by _time,dest_ip,dest_port,app,category,rule,action,user

I am not getting appropriate results with this, can anyone suggest how i can do the filtration on the basis of a particular time.

ITWhisperer · ‎07-31-2022

index="*" sourcetype="pan:threat" 10.196.246.104 url=* 
[| makeresults
 | eval earliest=relative_time("2022-07-29 18:33:20","-1h")
 | eval latest = relative_time("2022-07-29 18:33:20","+1h")
 | fields earliest latest]
| stats values(url) as url by _time,dest_ip,dest_port,app,category,rule,action,user

jamie00171 · ‎07-31-2022

Hi @sanglap

Can you just provide the time like:

earliest="2022-07-29:18:33:20" latest="2022-07-29:18:34:20"

There are some examples here: https://docs.splunk.com/Documentation/SCS/current/Search/Timemodifiers#Examples

Thanks,

Jamie

How to filter a specific time in Splunk?

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

How to filter a specific time in Splunk?

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...